StackExchange / StackExchange.Redis

General purpose redis client
https://stackexchange.github.io/StackExchange.Redis/

Redis 2.6.7 Sentinel SSL Errors in sentinel logs #2555

Closed irfanyil closed 8 months ago

irfanyil commented 11 months ago

I have a strange question. I, by all rights, believe I have a fully functional 3-node setup (3 sentinel nodes, 2 replicas) working with Redis 6.2.7 on Rocky Linux 8.8. The client key appears to work and I get responses from all nodes as expected.

However, my logs for all 3 nodes are spamming:

Error accepting a client connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=377)

Even at the lowest logging level I believe they have, warning, this keeps happening. Am I missing something and I actually DO have a problem or is there a bug and a way to get this to stop spewing this beyond turning off logging?

Basically, the configuration is as below:

Redis server v=6.2.7 sha=00000000:0 malloc=jemalloc-5.1.0 bits=64 build=56aeeede275be948

sentinel.conf

port 0
tls-port 26379
tls-cert-file "/path/xxx.crt"
tls-key-file "/path/xxx.key"
tls-ca-cert-file "/path/xxx.crt"
tls-replication yes
tls-auth-clients no

redis.conf

port 0
tls-port 6380
tls-cert-file "/path/xxx.crt"
tls-key-file "/path/xxx.key"
tls-auth-clients optional
tls-replication yes

NickCraver commented 11 months ago

Perhaps it's trying SSL3 by default and the server wants something newer? I'd try setting sslProtocols in your connection as a starting point (docs here: https://stackexchange.github.io/StackExchange.Redis/Configuration#configuration-options)

irfanyil commented 11 months ago

Hi Nick,

Thank you for the reply. Our clients already use TLSv1.2, and by default TLSv1.2 and TLSv1.3 are enabled in redis.conf. We also displayed the TLS version for clients via Wireshark on a tcpdump; it seems fine for the connection, and we couldn't see an SSL3 connection problem. It seems like a bug or something in the current 6.2.7 version; we used the same certificates on the clients. I have checked these error messages on web pages; many people have error messages like this while using Redis with a TLS connection.

# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended
# that older formally deprecated versions are kept disabled to reduce the attack surface.
# You can explicitly specify TLS versions to support.
# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination.
# To enable only TLSv1.2 and TLSv1.3, use:
#
#tls-protocols "TLSv1.2"

NickCraver commented 11 months ago

@irfanyil Ultimately I'm guessing here, as this is a server config issue (perhaps it wasn't built with OpenSSL? - it is optional). My guess would be you're attempting to connect to a server with TLS that isn't actually using TLS at all, either by its configuration or stripped along the way behind some reverse proxy. We can only advise on the client config here which is: match the server, but it looks like what the server expects isn't clear.

I'd go back to redis-cli and try connecting minimally that way to see what happens.
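The guess above, that something is hitting the tls-port without speaking TLS, can be checked from the server side without the client library. The snippet below is an added example written for this thread; it is not code from the issue or from StackExchange.Redis. It does two things: it parses the exact log line quoted at the top of the issue so the errors can be counted over a log window, and it classifies the first bytes a peer sends to a TLS listener the way OpenSSL's record layer does. `ssl3_get_record` reports `wrong version number` when bytes 1 and 2 of the first record are not a `0x03 0x0X` TLS version, which is precisely what a plaintext RESP `PING` (`0x49 0x4E`) or an HTTP `GET` (`0x45 0x54`) health check produces. The log lines and the RESP/HTTP prefix lists are constructed for illustration and are assumptions, not values taken from the page.

```python
"""Triage for 'ssl3_get_record:wrong version number' in Redis/Sentinel logs.

Added example for this issue thread (not part of StackExchange.Redis).
The sample log lines below are constructed; only the first mirrors the
line quoted in the issue.
"""
import re
from collections import Counter

# Matches Redis' TLS accept error format, e.g.
# "Error accepting a client connection: error:1408F10B:SSL routines:
#  ssl3_get_record:wrong version number (conn: fd=377)"
LOG_RE = re.compile(
    r"Error accepting a client connection: error:(?P<code>[0-9A-Fa-f]+):"
    r"SSL routines:(?P<func>[^:]+):(?P<reason>[^(]+?)\s*\(conn: fd=(?P<fd>\d+)\)"
)


def parse_redis_tls_error(line):
    """Return {'code','func','reason','fd'} for a TLS accept error, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fd"] = int(rec["fd"])
    return rec


def summarize(lines):
    """Count TLS accept errors per OpenSSL reason string over a log window."""
    counts = Counter()
    for line in lines:
        rec = parse_redis_tls_error(line)
        if rec:
            counts[rec["reason"]] += 1
    return counts


# Prefixes used to recognise plaintext peers (assumption: a short, common list).
RESP_COMMANDS = (b"PING", b"AUTH", b"HELLO", b"INFO")
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a peer sent to a TLS listener.

    A TLS record header is: content type (1 byte), version (2 bytes),
    length (2 bytes). OpenSSL rejects a record whose version bytes are not
    0x03 0x0X with SSL_R_WRONG_VERSION_NUMBER, so anything that is not TLS
    here is what the Redis log is complaining about.
    """
    if len(data) < 5:
        return "unknown"
    content_type, major, minor = data[0], data[1], data[2]
    if major == 0x03 and minor <= 0x04:
        # 0x16 = handshake; handshake type 0x01 = ClientHello
        if content_type == 0x16 and len(data) > 5 and data[5] == 0x01:
            return "tls-handshake"
        if content_type in (0x14, 0x15, 0x16, 0x17):
            return "tls-record"
    # RESP array ("*1\r\n$4\r\nPING\r\n") or inline command ("PING\r\n")
    if data[:1] == b"*" or data.upper().startswith(RESP_COMMANDS):
        return "plaintext-resp"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "plaintext-http"
    return "unknown"


# Constructed sample log lines (not taken from a real deployment).
SAMPLE_LOG = [
    "377:X 01 Jan 2024 00:00:01.000 # Error accepting a client connection: "
    "error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=377)",
    "377:X 01 Jan 2024 00:00:11.000 # Error accepting a client connection: "
    "error:1408F10B:SSL routines:ssl3_get_record:wrong version number (conn: fd=381)",
    "377:X 01 Jan 2024 00:00:12.000 * +sentinel-address-switch ...",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for probe in (b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # ClientHello
                  b"PING\r\n",                                      # inline RESP
                  b"*1\r\n$4\r\nPING\r\n",                          # RESP array
                  b"GET /health HTTP/1.1\r\n"):                     # HTTP check
        print(probe[:8], "->", classify_first_bytes(probe))
```

If the counter grows at a steady rate (every 10 seconds in the constructed sample), the usual culprit is a load balancer or monitoring health check configured for the plain port; capturing the first packet of one such connection and running it through `classify_first_bytes` tells you which protocol it is speaking. A real TLS client misconfigured for an unsupported version would fail at the handshake, not at the record header, and would produce a different OpenSSL reason string.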

NickCraver commented 8 months ago

Advice above - closing out to clean up here, happy to re-open if we have more info.